Announcement

Introducing Infrawatch On-Demand: Build Your Own Internet-Wide Scans

Written by

Yana - Infrawatch

3 min read

The lack of flexibility in traditional scanning products leaves organizations reliant on publicly available datasets, often waiting for others to decide what gets scanned and when. While you can search their databases, you can't fully customize the probes, adjust request paths, or tailor scanning logic to fit your specific needs and priorities.

Why?

Many organizations rely on tools such as Censys, BinaryEdge, FOFA, Shodan, and ZoomEye for internet-wide scanning data, but these services come with limitations. Scenarios where predefined scans fall short include:

  • Identifying devices vulnerable to exploitation, where compromise depends on requesting a specific HTTP URI

  • Mapping malware command-and-control (C2) protocols that rely on a specific request payload to communicate

    • In turn, identifying C2s before an adversary operationalizes them

While these services provide extremely valuable insights, their scans are predefined and generic, meaning you’re restricted to the types of scans they decide to run. You can search their databases, but you can't customize the probes, adjust request paths, or craft your own scanning logic based on your unique requirements.

This lack of flexibility leaves organizations dependent on publicly available datasets, often missing specific relevant infrastructure. You’re stuck waiting for someone else to decide what gets scanned and when.

With Infrawatch’s On-Demand Scanning, that changes. You’re in control of what to scan, how to scan it, and when. On-Demand Scanning allows you to tailor scans to meet your operational requirements, with the work distributed across Infrawatch's worldwide scanning network. You can configure scans to target specific:

  • IPv4 or IPv6 ranges

  • Countries

  • Autonomous System Numbers (ASNs)

  • Or, even the entire IPv4 internet (0.0.0.0/0)

Additionally, you can go beyond basic network scans by leveraging application-layer protocols like HTTP, customizing request URIs (e.g., /my-custom-path) to probe deeper into responses generic scans would miss. Infrawatch rules attached to your tenant are automatically applied, making post-processing of your scans easy.

For Current Users

Infrawatch’s On-Demand Customizable Scanning is exclusively available to vetted Premium users. To get started:

  1. Log into the Infrawatch Dashboard
    Navigate to On-Demand → Scans to access the scanning configuration panel.

  2. Define Your Scanning Parameters
    Easily configure your scan by selecting from flexible options like HTTP URIs, TCP probes, or specific IPv4/IPv6 ranges. Target your scans by countries, ASNs, or even run a comprehensive internet-wide scan.

  3. Launch Your Scan in Real-Time
    Once configured, initiate your scan with a click. Infrawatch’s distributed network begins probing your targets immediately, delivering results as they come in.

  4. Download, Review, and Act on Results
    After your scan completes, download the results in a format that integrates seamlessly with your existing security workflows. Use the dashboard to review findings or set up automatic triggers with Infrawatch YARA Rules to flag potential matches instantly.

With Infrawatch, you can take full control of your scans — no more waiting on predefined scans from third-party databases. Build, run, and customize your internet-wide scans based on your unique operational requirements.

Example Use Case: Identifying Ivanti Connect Secure VPN Devices

When a new high-priority vulnerability is discovered, such as the recent Ivanti Connect Secure VPN vulnerability, waiting for your Attack Surface Management solution or someone else's scans to catch up is not an option.

With Infrawatch, you can act immediately.

A critical flaw was recently discovered in Ivanti's VPN devices and is likely being exploited by a suspected China-nexus adversary. It could allow remote attackers to execute arbitrary code and gain access to sensitive systems (as reported by Google Cloud’s Threat Intelligence Team [1]).

With Infrawatch, you can customize your scans to search for devices affected by this vulnerability. For instance, you can specify HTTP URIs tied to Ivanti Connect Secure VPN devices in your On-Demand scan configuration:

  • /dana-cached/hc/hc_launcher.22.7.2.2615.jar

  • /dana-cached/hc/hc_launcher.22.7.2.3191.jar

  • /dana-cached/hc/hc_launcher.22.7.2.3221.jar

  • /dana-cached/hc/hc_launcher.22.7.2.3431.jar

You could also specify a particular ASN or country to narrow your focus and scan only regions or networks you are interested in.

Additionally, an Infrawatch rule attached to your account may be used to keep only valid responses from your target, such as:

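import "infrawatch"

rule ivanti_response
{
  condition:
    // check JAR magic (ZIP): the body starts with bytes 50 4B 03 04 ("PK\x03\x04")
    // note: in stock YARA, uint32() reads little-endian and uint32be() big-endian
    uint32(infrawatch.http.body) == 0x504B0304 and
    // start of path to JAR used by Ivanti
    infrawatch.http.uri contains "dana-cached/hc/hc_launcher"
}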

This targeted approach helps ensure that your efforts are focused where they matter most, reducing the time and resources required to mitigate risks, without waiting for third-party internet-wide scanners to update.
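As an added example (not Infrawatch's own code), the following Python applies the same two checks as the rule above, plus an HTTP 200 check, to downloaded results offline, so that hosts answering every path with an HTML page are not counted. The JSON-lines layout and the field names (ip, uri, status, body_b64) are assumptions, and the sample records are constructed.

```python
import base64
import json
import re
import struct

ZIP_MAGIC = b"PK\x03\x04"  # first four bytes of any ZIP/JAR file
LAUNCHER = re.compile(r"/dana-cached/hc/hc_launcher\.([0-9.]+)\.jar$")

# Constructed sample results; the field names (ip, uri, status, body_b64)
# are assumptions for this example, not Infrawatch's export schema.
SAMPLE_RESULTS = "\n".join(json.dumps(r) for r in [
    {"ip": "192.0.2.10", "uri": "/dana-cached/hc/hc_launcher.22.7.2.2615.jar",
     "status": 200, "body_b64": base64.b64encode(ZIP_MAGIC + b"\x14\x00").decode()},
    # Soft-404: the server answers 200 with an HTML page for any path.
    {"ip": "192.0.2.20", "uri": "/dana-cached/hc/hc_launcher.22.7.2.3191.jar",
     "status": 200, "body_b64": base64.b64encode(b"<html>Not found</html>").decode()},
    {"ip": "192.0.2.30", "uri": "/dana-cached/hc/hc_launcher.22.7.2.3431.jar",
     "status": 404, "body_b64": ""},
    {"ip": "192.0.2.10", "uri": "/dana-cached/hc/hc_launcher.22.7.2.3191.jar",
     "status": 404, "body_b64": ""},
])


def is_jar(body: bytes) -> bool:
    """True when the body starts with the ZIP local-file-header magic."""
    if len(body) < 4:
        return False
    # The magic bytes 50 4B 03 04 equal 0x504B0304 only when read big-endian;
    # a little-endian read of the same bytes gives 0x04034B50.
    return struct.unpack(">I", body[:4])[0] == 0x504B0304


def launcher_hits(jsonl: str) -> dict:
    """Map each IP to the launcher builds it served as a real JAR."""
    hits = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        m = LAUNCHER.search(rec.get("uri", ""))
        if not m or rec.get("status") != 200:
            continue
        try:
            body = base64.b64decode(rec.get("body_b64", ""), validate=True)
        except ValueError:
            continue  # skip records with a corrupt body field
        if is_jar(body):
            hits.setdefault(rec["ip"], set()).add(m.group(1))
    return hits


if __name__ == "__main__":
    for ip, builds in sorted(launcher_hits(SAMPLE_RESULTS).items()):
        print(ip, sorted(builds))
```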

Key Data Handling Features

  • Downloadable Results: Download your scan results in machine-readable formats (JSON, CSV), making it simple to integrate with your current tooling. You have full control over when and how you access your results.

  • Infrawatch Rules Integration: After completing a scan, you can automatically run the results against your Infrawatch YARA Rules to flag and filter for specific responses.

Footnotes

[1] Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation - https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day

Join Beta Waitlist

We're getting things ready. Be the first to use Infrawatch, simply register your interest below.

Let's beat the adversary today.

Request beta access to the Infrawatch platform now. You can contact us at hello@infrawatch.app
